Add SRS support with postsrsd

defaults/main.yml

@@ -53,3 +53,7 @@ postfix:
   metrics_address: "127.0.0.1:9154"
   recipient_canonical_maps: ''
   local_header_rewrite_clients: ''
+  srs:
+    enable: false
+    domain: ~
+    exclude_domains: []

handlers/main.yml

@@ -6,3 +6,6 @@
 
 - name: restart prometheus-postfix-exporter
   service: name=prometheus-postfix-exporter state=restarted
+
+- name: restart postsrsd
+  service: name=postsrsd state=restarted

tasks/main.yml

@@ -18,6 +18,23 @@
   notify:
   - restart prometheus-postfix-exporter
 
+- name: install postsrsd
+  when: postfix.srs.enable
+  apt:
+    pkg:
+    - postsrsd
+
+- name: configure postsrsd
+  when: postfix.srs.enable
+  template:
+    src: postsrsd.j2
+    dest: /etc/default/postsrsd
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+  - restart postsrsd
+
 - name: Install and setup utilities for LDAP
   when: postfix.ldap.enable
   block:

templates/main.cf.j2

@@ -154,5 +154,11 @@ non_smtpd_milters = {{ ' '.join(postfix.non_smtpd_milters) }}
 # passwords or other confidential information
 notify_classes =
 
-recipient_canonical_maps = {{ postfix.recipient_canonical_maps }}
+{% if postfix.srs.enable %}
+sender_canonical_maps = tcp:localhost:10001
+sender_canonical_classes = envelope_sender
+{% endif %}
+
+recipient_canonical_maps = {{ postfix.recipient_canonical_maps }}{% if postfix.srs.enable %} tcp:127.0.0.1:10002{% endif %}
+
 local_header_rewrite_clients = {{ postfix.local_header_rewrite_clients }}

templates/postsrsd.j2

@@ -0,0 +1,62 @@
+# Default settings for PostSRSd
+
+# Local domain name.
+# Addresses are rewritten to originate from this domain. The default value
+# is taken from `postconf -h mydomain` and probably okay.
+#
+SRS_DOMAIN={{ postfix.srs.domain }}
+
+# Exclude additional domains.
+# You may list domains which shall not be subjected to address rewriting.
+# If a domain name starts with a dot, it matches all subdomains, but not
+# the domain itself. Separate multiple domains by space or comma.
+#
+SRS_EXCLUDE_DOMAINS={{ postfix.srs.exclude_domains|join(',') }}
+
+# First separator character after SRS0 or SRS1.
+# Can be one of: -+=
+SRS_SEPARATOR==
+
+# Secret key to sign rewritten addresses.
+# When postsrsd is installed for the first time, a random secret is generated
+# and stored in /etc/postsrsd.secret. For most installations, that's just fine.
+#
+SRS_SECRET=/etc/postsrsd.secret
+
+# Length of hash to be used in rewritten addresses
+SRS_HASHLENGTH=4
+
+# Minimum length of hash to accept when validating return addresses.
+# When increasing SRS_HASHLENGTH, set this to its previous value and
+# wait for the duration of SRS return address validity (21 days) before
+# increading this value as well.
+SRS_HASHMIN=4
+
+# Local ports for TCP list.
+# These ports are used to bind the TCP list for postfix. If you change
+# these, you have to modify the postfix settings accordingly. The ports
+# are bound to the loopback interface, and should never be exposed on
+# the internet.
+#
+SRS_FORWARD_PORT=10001
+SRS_REVERSE_PORT=10002
+
+# Drop root privileges and run as another user after initialization.
+# This is highly recommended as postsrsd handles untrusted input.
+#
+RUN_AS=postsrsd
+
+# Bind to this address
+#
+SRS_LISTEN_ADDR=127.0.0.1
+
+# Jail daemon in chroot environment
+#
+CHROOT=/var/lib/postsrsd
+
+# Additional Options
+# PostSRSd understands a few rarely needed extra options:
+# -A     always rewrite email addresses, even from SRS_DOMAIN
+# -t<n>  set connection timeout to <n> seconds (default: 1800)
+#
+#SRS_EXTRA_OPTIONS=-A